Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Background
Discussion
Related Work
Conclusions and Future Work
References

Applying TAME to I/O automata: A user's perspective

Profile image of Myla ArcherMyla Archer

Abstract

Mechanical theorem provers have been shown to expose proof errors, some of them serious, that humans miss. Mechanical provers will be applied more widely if they are easier to use. The tool TAME (Timed Automata Modeling Environment) provides an interface to the prover PVS to simplify specifying and proving properties of automata models.

Related papers

Translating Timed I/O Automata Specifications for Theorem Proving in PVS
Hongping Lim, Sayan Mitra

Lecture Notes in Computer Science, 2005

The timed input/output automaton modeling framework is a mathematical framework for specification and analysis of systems that involve discrete and continuous evolution. In order to employ an interactive theorem prover in deducing properties of a timed input/output automaton, its statetransition based description has to be translated to the language of the theorem prover. This thesis describes a tool for translating from TIOA, the formal language for describing timed input/output automata, to the language of the Prototype Verification System (PVS)-a specification system with an integrated interactive theorem prover. We describe the translation scheme, discuss the design decisions, and briefly present case studies to illustrate the application of the translator in the verification process.

View PDFchevron_right
Mechanical verification of timed automata: a case study
Constance Heitmeyer

1996

The paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on the proof system PVS, to prove propositions about real time systems specified in the Lynch-Vaandrager timed automata model. In using automated provers to prove propositions about systems described by a specific mathematical model, both the proofs and the proof process can be simplified by exploiting the spectral properties of the mathematical model. The paper presents the PVS specification of three theories that underlie the timed automata model, a template for specifying timed automata models in PVS and an example of its instantiation, and both hand proofs and the corresponding PVS proofs of two propositions. It concludes with a discussion of our experience in applying PVS to specify and reason about real time systems modeled as timed automata

View PDFchevron_right
Decomposing Verification of Timed I/O Automata
Dilsun Kaynar

Lecture Notes in Computer Science, 2004

This paper presents assume-guarantee style substitutivity results for the recently published timed I/O automaton modeling framework. These results are useful for decomposing verification of systems where the implementation and the specification are represented as timed I/O automata. We first present a theorem that is applicable in verification tasks in which system specifications express safety properties. This theorem has an interesting corollary that involves the use of auxiliary automata in simplifying the proof obligations. We then derive a new result that shows how the same technique can be applied to the case where system specifications express liveness properties.

View PDFchevron_right
Specifying and proving properties of timed I/O automata using Tempo
Myla Archer

Design Automation for Embedded Systems, 2008

Timed I/O automata (TIOA) is a mathematical framework for modeling and verification of distributed systems that involve discrete and continuous dynamics. TIOA can be used for example, to model a real-time software component controlling a physical process. The TIOA model is sufficiently general to subsume other models in use for timed systems. The Tempo Toolset, currently under development, is aimed at supporting system development based on TIOA specifications. The Tempo Toolset is an extension of the IOA toolkit, which provides a specification simulator, a code generator, and both model checking and theorem proving support for analyzing specifications. This paper focuses on the modeling of timed systems and their properties with TIOA and on the use of TAME4TIOA, the TAME 1 (Timed Automata Modeling Environment) based theorem proving support provided in Tempo, for proving system properties, including timing properties. Several examples are provided by way of illustration.

View PDFchevron_right
TAME: A PVS interface to simplify proofs for automata models. UITP, July 1998.[8] Michael D. Ernst. Summary of dynamically discovering likely program …
Myla Archer

2001

Although a number of mechanical provers have been introduced and applied widely by academic researchers, these provers are rarely used in the practical development of software. For mechanical provers to be used more widely in practice, two major barriers must be overcome. First, the languages provided by the mechanical provers for expressing the required system behavior must be more natural for software developers. Second, the reasoning steps supported by mechanical provers are usually at too low and detailed a level and therefore discourage use of the prover. To help remove these barriers, we are developing a system called TAME, a high-level user interface to PVS for specifying and proving properties of automata models. TAME provides both a standard speci cation format for automata models and numerous high-level proof steps appropriate for reasoning about automata models. In previous work, we have shown how TAME can be useful in proving properties about systems described as Lynch-Vaandrager Timed Automata models. TAME has the potential to be used as a PVS interface for other speci cation methods that are specialized to de ne automata models. This paper rst describes recent improvements to TAME, and then presents our initial results in using TAME to provide theorem proving support for the SCR (Software Cost Reduction) requirements method, a method with a wide range of other mechanized support.

View PDFchevron_right
Reusable PVS Proof Strategies for Proving Abstraction Properties of I/O Automata
Myla Archer

Fifth Workshop on Strategies in Automated Deduction

Reusable PVS Proof Strategies for Proving Abstraction Properties of I/O Automata∗ Sayan Mitra Myla Archer MIT Comp. Sci. and AI Laboratory Naval Research Laboratory 32 Vassar Street Code 5546 Cambridge, MA 02139 Washington, DC 20375 mitras@ csail. mit. edu ...

View PDFchevron_right
From I/O Automata to Timed I/O Automata - A solution to the `Generalized Railroad Crossing' in Isabelle/HOLCF
Bernd Grobauer

1999

The model of timed I/O automata represents an extension of the model of I/O automata with the aim of reasoning about realtime systems. A number of case studies using timed I/O automata has been carried out, among them a treatment of the so-called Generalized Railroad Crossing (GRC). An already existing formalization of the metatheory of I/O automata within Isabelle/HOLCF allows for fully formal tool-supported verification using I/O automata. We present a modification of this formalization which accomodates for reasoning about timed I/O automata. The guiding principle in choosing the parts of the metatheory of timed I/O automata to formalize has been to provide all the theory necessary for formalizing the solution to the GRC. This leads to a formalization of the GRC, in which not only the correctness proof itself has been formalized, but also the underlying meta-theory of timed I/O automata, on which the correctness proof is based.

View PDFchevron_right
TAME: Using PVS strategies for special-purpose theorem proving
Myla Archer

Annals of Mathematics and Artificial Intelligence - AMAI, 2000

TAME Timed Automata Modeling Environment, an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I O automata, Lynch-Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata speci cations using the templates. Use of the TAME strategies simpli es the process of proving automaton properties, particularly state and transition invariants. TAME provides two t ypes of strategies: strategies for automatic" proof and strategies designed to implement natural" proof steps, i.e., proof steps that mimic the high-level steps in typical natural language proofs. TAME's natural" proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and e ciency in user-de ned strategies such a s those used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of speci cations and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional natural" proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.

View PDFchevron_right
Towards machine-verified proofs for I/O
Marko van Eekelen, Andrew Butterfield

2004

View PDFchevron_right
From I/O automata to timed I/O automata: A solution to the 'generalized railroad crossing
Bernd Grobauer

1999

Abstract. The model of timed I/O automata represents an extension of the model of I/O automata with the aim of reasoning about realtime systems. A number of case studies using timed I/O automata has been carried out, among them a treatment of the so-called Generalized Railroad Crossing (GRC). An already existing formalization of the metatheory of I/O automata within Isabelle/HOLCF allows for fully formal tool-supported verification using I/O automata. We present a modification of this formalization which accomodates for reasoning about timed I/O automata. The guiding principle in choosing the parts of the metatheory of timed I/O automata to formalize has been to provide all the theory necessary for formalizing the solution to the GRC. This leads to a formalization of the GRC, in which not only the correctness proof itself has been formalized, but also the underlying meta-theory of timed I/O automata, on which the correctness proof is based. 1

View PDFchevron_right

References (32)

  1. A. Alborghetti, A. Gargantini, and A. Morzenti. Providing automated support to deductive analysis of time critical systems. In Proc. 6th Eur. Software Eng. Conf. (ESEC/FSE'97), Lect. Notes in Comp. Sci., pages 211{226. Springer-Verlag, 1997.
  2. M. Archer. Tools for simplifying proofs of properties of timed automata: The TAME template, theories, and strategies. Technical Report NRL/MR/5540{99- 8359, NRL, Wash., DC, 1999.
  3. M. Archer and C. Heitmeyer. Mechanical veri cation of timed automata: A case study. In Proc. 1996 IEEE Real-Time Technology and Applications Symp. (RTAS'96). IEEE Computer Society Press, 1996.
  4. Myla Archer and Constance Heitmeyer. Human-style theorem proving using PVS. In Theorem Proving in Higher Order Logics (TPHOLs'97), volume 1275 of Lect. Notes in Comp. Sci., pages 33{48. Springer-Verlag, 1997.
  5. Myla Archer and Constance Heitmeyer. Verifying hybrid systems modeled as timed automata: A case study. In Hybrid and Real-Time Systems (HART'97), volume 1201 of Lect. Notes in Comp. Sci., pages 171{185. Springer-Verlag, 1997.
  6. Myla Archer, Constance Heitmeyer, and Steve Sims. TAME: A PVS interface to simplify proofs for automata models. In Proc. User Interfaces for Theorem Provers 1998, Eindhoven, Netherlands, July 1998. Eindhoven Univ. of Technology.
  7. Oleg Cheiner. Private communication. February, 1999.
  8. M. Devillers. Veri cation of a tree-identity protocol. See the URL http://www.cs.kun.nl/ marcod/1394.html, 1997.
  9. M. Devillers, D. Gri oen, J. Romijn, and F. Vaandrager. Veri cation of a leader election protocol|formal methods applied to IEEE 1394. Formal Methods in Sys- tem Design. To appear.
  10. Marco Devillers. Private communication. January, 1999.
  11. S. J. Garland and N. A. Lynch. The IOA Language and Toolset: Support for Designing, Analyzing, and Building Distributed Systems. Draft. MIT Lab. for Computer Sci., August, 1998.
  12. C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements speci cations. IEEE Trans. on Softw. Eng., 24(11), November 1998.
  13. Pertti Kellomaki. Mechanical Veri cation of Invariant Properties of DisCo Speci- cations. PhD thesis, Tampere University of Technology, Finland, November 1997.
  14. L. Lamport. How to write a proof. Technical report, Digital Equipment Corp., System Research Center, February 1993. Research Report 94.
  15. Patrick Lincoln. Private communication. July, 1998.
  16. Victor Luchangco. Using simulation techniques to prove timing properties. Mas- ter's thesis, MIT, June 1995.
  17. N. Lynch and M. Tuttle. An introduction to Input/Output automata. CWI- Quarterly, 2(3):219{246, September 1989. Centrum voor Wiskunde en Informatica, Amsterdam, The Netherlands.
  18. N. Lynch and F. Vaandrager. Forward and backward simulations for timing-based systems. In Proc. of REX Workshop \Real-Time: Theory in Practice", volume 600 of Lect. Notes in Comp. Sci., pages 397{446. Springer-Verlag, 1991.
  19. Olaf Mueller. A Veri cation Environment for I/O Automata Based on Formalized Meta-Theory. PhD thesis, Technische Universitaet Muenchen, September 1998.
  20. J. Romijn. Tackling the RPC-Memory Speci cation Problem with I/O automata. Addendum. URL http://www.cwi.nl/ judi/papers/dagstuhl proofs.ps.gz.
  21. J. Romijn. Tackling the RPC-Memory Speci cation Problem with I/O automata. In M. Broy, S. Merz, and K. Spies, editors, Formal Systems Speci cation | The RPC-Memory Speci cation Case, volume 1169 of Lect. Notes in Comp. Sci., pages 437{476. Springer-Verlag, 1996.
  22. P. Rudnicki and A. Trybulec. A note on \How to Write a Proof". In Proc. 1992 Workshop on Types and Proofs for Programs, June 1996.
  23. N. Shankar, S. Owre, and J. Rushby. The PVS proof checker: A reference manual. Technical report, Computer Science Lab., SRI Intl., Menlo Park, CA, 1993.
  24. J. Skakkebaek and N. Shankar. Towards a duration calculus proof assistant in PVS. In Third Intern. School and Symp. on Formal Techniques in Real Time and Fault-Tolerant Systems, Lect. Notes in Comp. Sci. Springer-Verlag, 1994.
  25. If a node has left the initial stage then all links, or all links but one, are child links. I4(e; f; v) target(e) = target(f) = v ^e 6 = f ! init v] _ child e] _ child(f)
  26. If a node is in the initial stage, then none of its neighbors is involved in root con- tention.
  27. If a node is involved in root contention, then all its incoming links are empty. I8(e) contention target(e)] ! mq e] = empty
  28. A node never sends a parents request to its children. I10(e) mq e] 6 = empty ^:hd(mq e]) ! :child e ?1 ]
  29. Two nodes can never be children of each other. I11(e) child e] ! :child e ?1 ]
  30. All incoming liks of the source of a child link, except for its inverse, are child links as well.
  31. There is at most one node for which all incoming links are child links. I15 (9v8e 2 to(v) : child e]) ! (9!v8e 2 to(v) : child e])
  32. 7 We have dropped the argument v to I15.

Related papers

Developing strategies for specialized theorem proving about untimed, timed, and hybrid I/O automata
Myla Archer

In this paper we discuss how we intend to develop a specialized theorem proving environment for the Hybrid I/O Automata (HIOA) framework 6] over the PVS 10] theorem prover, and some of the issues involved. In particular, we describe approaches to using PVS that allow and encourage the development of useful proof strategies, and note some desired PVS features that would further help us to do so for our HIOA environment.

View PDFchevron_right
Proving invariants of I/O automata with TAME
Elvinia Riccobene

2002

This paper describes a specialized interface to PVS called TAME (Timed Automata Modeling Environment) which provides automated support for proving properties of I/O automata. A major goal of TAME is to allow a software developer to use PVS to specify and prove properties of an I/O automaton efficiently and without first becoming a PVS expert.

View PDFchevron_right
TAME: A PVS Interface to Simplify Proofs for Automata Models
Constance Heitmeyer

1998

Although a number of mechanical provers have been introduced and applied widely by academic researchers, these provers are rarely used in the practical development of software. For mechanical provers to be used more widely in practice, two major barriers must be overcome. First, the languages provided by the mechanical provers for expressing the required system behavior must be more natural for software developers. Second, the reasoning steps supported by mechanical provers are usually at too low and detailed a level and therefore discourage use of the prover. To help remove these barriers, we are developing a system called TAME, a high-level user interface to PVS for specifying and proving properties of automata models. TAME provides both a standard speci cation format for automata models and numerous high-level proof steps appropriate for reasoning about automata models. In previous work, we have shown how TAME can be useful in proving properties about systems described as Lynch-Vaandrager Timed Automata models. TAME has the potential to be used as a PVS interface for other speci cation methods that are specialized to de ne automata models. This paper rst describes recent improvements to TAME, and then presents our initial results in using TAME to provide theorem proving support for the SCR (Software Cost Reduction) requirements method, a method with a wide range of other mechanized support.

View PDFchevron_right
TAME: A Specialized Specification and Verification System for Timed Automata
Constance Heitmeyer

1996

Assuring the correctness of speci cations of realtime systems can involve signi cant human e ort. The use of a mechanical theorem prover to encode such speci cations and to verify their properties could signicantly reduce this e ort. A barrier to routinely encoding and mechanically verifying speci cations has been the need rst to master the speci cation language and logic of a general theorem proving system. Our approach to overcoming this barrier is to provide mechanical support for producing speci cations and verifying proofs, specialized for particular mathematical models and proof techniques. We are currently developing a mechanical veri cation system called T AME Timed Automata Modeling Environment that provides this specialized support using SRI's Prototype V eri cation System PVS. Our system is intended t o p ermit steps in reasoning similar to those in hand proofs that use model-speci c techniques. TAME has recently been used to detect errors in a realistic example.

View PDFchevron_right
Using TAME to prove invariants of automata models: Two case studies
Elvinia Riccobene

2000

Abstract TAME is a special-purpose interface to PVS designed to support developers of software systems in proving properties of automata models. One of TAME's major goals is to allow a software developer who has basic knowledge of standard logic, and can do hand proofs, to use PVS to represent and to prove properties about an automaton model without first becoming a PVS expert.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved